Local authorities in India-controlled Kashmir have opened a case against hundreds of people who used virtual private networks (VPNs) to circumvent a social media ban in the disputed Himalayan region in a move that has been denounced by human rights and privacy activists.
Tahir Ashraf, who heads the police cyber division in Srinagar, said on Tuesday that the authority had identified and was probing hundreds of suspected users who he alleged misused social media to promote “unlawful activities and secessionist ideology.”
On Monday, the police said they had also seized “a lot of incriminating material” under the Unlawful Activities Prevention Act (UAPA), the nation’s principal counter-terrorism law. Those found guilty could be jailed up to seven years.
“Taking a serious note of misuse of social media, there have been continuous reports of misuse of social media sites by the miscreants to propagate the secessionist ideology and to promote unlawful activities,” the region’s police said in a statement.
The move comes weeks after the Indian government restored access to several hundred websites, including some shopping websites such as Amazon India and Flipkart and select news outlets. Facebook, Twitter and other social media services remain blocked, and mobile data speeds remain capped at 2G speeds.
One analysis found that 126 of 301 websites that had been unblocked were only usable to “some degree.” To bypass the censorship on social media and access news websites, many in the disputed region, home to more than 7 million people, began using VPN services.
“The Government of India has almost total control over what information is coming out of the region,” said Avinash Kumar, executive director of human rights campaign group Amnesty International India.
“While the Government has a duty and responsibility to maintain law and order in the state, filing cases under counter-terrorism laws such as UAPA over vague and generic allegations and blocking social media sites is not the solution. The Indian government needs to put humanity first and let the people of Kashmir speak,” he urged the government.
Mishi Choudhary, executive director of New Delhi-based Software Law and Freedom Centre, said that the authority did not need to chase people who are using VPNs, and should restore internet access like any other democratic society.
“Any alleged rumors can be addressed by putting out accurate and more information through the same social media platforms. Content-based restrictions on speech can only be allowed within the restrictions established by the Constitution and not in an ad hoc manner,” she said.
Networking software giant Citrix Systems says malicious hackers were inside its networks for five months between 2018 and 2019, making off with personal and financial data on company employees, contractors, interns, job candidates and their dependents. The disclosure comes almost a year after Citrix acknowledged that digital intruders had broken in by probing its employee accounts for weak passwords.
Citrix provides software used by hundreds of thousands of clients worldwide, including most of the Fortune 100 companies. It is perhaps best known for selling virtual private networking (VPN) software that lets users remotely access networks and computers over an encrypted connection.
In March 2019, the Federal Bureau of Investigation (FBI) alerted Citrix they had reason to believe cybercriminals had gained access to the company’s internal network. The FBI told Citrix the hackers likely got in using a technique called “password spraying,” a relatively crude but remarkably effective attack that attempts to access a large number of employee accounts (usernames/email addresses) using just a handful of common passwords.
In a statement released at the time, Citrix said it appeared hackers “may have accessed and downloaded business documents,” and that it was still working to identify what precisely was accessed or stolen.
But in a letter sent to affected individuals dated Feb. 10, 2020, Citrix disclosed additional details about the incident. According to the letter, the attackers “had intermittent access” to Citrix’s internal network between Oct. 13, 2018 and Mar. 8, 2019, and there was no evidence that the cybercrooks still remain in the company’s systems.
Citrix said the information taken by the intruders may have included Social Security Numbers or other tax identification numbers, driver’s license numbers, passport numbers, financial account numbers, payment card numbers, and/or limited health claims information, such as health insurance participant identification number and/or claims information relating to date of service and provider name.
It is unclear how many people received this letter, but the communication suggests Citrix is contacting a broad range of individuals who work or worked for the company at some point, as well as those who applied for jobs or internships there and people who may have received health or other benefits from the company by virtue of having a family member employed by the company.
Citrix’s letter was prompted by laws in virtually all U.S. states that require companies to notify affected consumers of any incident that jeopardizes their personal and financial data. While the notification does not specify whether the attackers stole proprietary data about the company’s software and internal operations, the intruders certainly had ample opportunity to access at least some of that information as well.
Shortly after Citrix initially disclosed the intrusion in March 2019, a little-known security company, Resecurity, claimed it had evidence Iranian hackers were responsible, had been in Citrix’s network for years, and had offloaded terabytes of data. Resecurity also presented evidence that it notified Citrix of the breach as early as Dec. 28, 2018, a claim Citrix initially denied but later acknowledged.
Iranian hackers recently have been blamed for hacking VPN servers around the world in a bid to plant backdoors in large corporate networks. A report released this week (PDF) by security firm ClearSky details how Iran’s government-backed hacking units have been busy exploiting security holes in popular VPN products from Citrix and a number of other software firms.
ClearSky says the attackers have focused on attacking VPN tools because they provide a long-lasting foothold at the targeted organizations, and frequently open the door to breaching additional companies through supply-chain attacks. The company says such tactics have allowed the Iranian hackers to gain persistent access to the networks of companies across a broad range of sectors, including IT, security, telecommunications, oil and gas, aviation, and government.
How would your organization hold up to a password spraying attack? As the Citrix hack shows, if you don’t know you should probably check, and then act on the results accordingly. It’s a fair bet the bad guys are going to find out even if you don’t.
This entry was posted on Wednesday, February 19th, 2020 at 10:55 am and is filed under A Little Sunshine, Data Breaches.
A Google AI tool that can recognize and label what's in an image will no longer attach gender tags like "woman" or "man" to photos of people.
Google's Cloud Vision API is a service for developers that allows them to, among other things, attach labels to photos identifying the contents.
The tool can detect faces, landmarks, brand logos, and even explicit content, and has a host of uses from retailers using visual search to researchers identifying animal species.
In an email to developers on Thursday morning, seen by Business Insider, Google said it would no longer use "gendered labels" for its image tags. Instead, it will tag any images of people with "non-gendered" labels such as "person."
Google said it had made the change because it was not possible to infer someone's gender solely from their appearance. It also cited its own ethical rules on AI, stating that gendering photos could exacerbate unfair bias.
Per the email: "Given that a person's gender cannot be inferred by appearance, we have decided to remove these labels in order to align with the Artificial Intelligence Principles at Google, specifically Principle #2: Avoid creating or reinforcing unfair bias."
Frederike Kaltheuner, a tech policy fellow at Mozilla with expertise on AI bias, told Business Insider that the update was "very positive."
She said in an email: "Anytime you automatically classify people, whether that's their gender, or their sexual orientation, you need to decide on which categories you use in the first place — and this comes with lots of assumptions.
"Classifying people as male or female assumes that gender is binary. Anyone who doesn't fit it will automatically be misclassified and misgendered. So this is about more than just bias — a person's gender cannot be inferred by appearance. Any AI system that tried to do that will inevitably misgender people."
Google notes in its own AI principles that algorithms and datasets can reinforce bias: "We will seek to avoid unjust impacts on people, particularly those related to sensitive characteristics such as race, ethnicity, gender, nationality, income, sexual orientation, ability, and political or religious belief."
Google invited affected developers to comment on its discussion forums. Only one developer had commented at the time of writing, and complained the change was down to "political correctness."
"I don't think political correctness has room in APIs," the person wrote. "If I can 99% of the times identify if someone is a man or woman, then so can the algorithm. You don't want to do it? Companies will go to other services."
Business Insider has approached Google for comment.
I have a love-hate relationship with my iPhone. I love the hardware, Apple’s attention to detail in iOS, and the quality of apps that developers have created. But I hate Apple’s walled garden that limits how I use my iPhone every day. I can’t change my default browser; every time I click an email address, I’m forced into an inferior iOS email client; and Apple’s tight OS restrictions mean customization and app features are limited compared to Android.
Rumors suggest Apple is weighing improving some of these restrictions in iOS 14. This upcoming OS update could be the ideal opportunity for Apple to lower its walls a bit, just as regulators in the US and Europe are starting to ask questions about how Apple exerts control over its mobile platform.
Bloomberg reported yesterday that Apple is considering allowing apps like Chrome or Gmail to be set as defaults in iOS 14. It’s a relatively small change, but one that would have a big impact on app developers who compete with Apple’s built-in apps. Windows, Android, and macOS all allow third-party apps to be set as default, but iOS has remained an outlier for more than a decade. Over the past 10 years, competitors have created richer email clients that integrate with full-featured calendar apps that can also be viewed in more extensible mobile browsers that sync across a variety of platforms not owned by Apple. Meanwhile, the iOS experience still forces you into Apple’s often-inferior apps.
iOS 14 is an ideal time to relax default app restrictions, just as regulators in Europe and the US are examining Apple’s overall mobile platform and influence. The EU has reportedly been preparing to launch an Apple antitrust investigation after Spotify filed a complaint over Apple favoring its own music service with restrictions on rivals. Spotify also complained about Apple’s requirements that iPhone users must purchase apps through its official App Store, which then charges developers a 30 percent commission.
Apple’s defense of Spotify’s complaint highlighted exactly how difficult it is to compete with the iPhone maker on a platform where Apple sets the rules and can change them on a whim. Developers looking to avoid Apple’s fees for in-app purchases are forbidden from telling their customers where and how they can pay outside of the App Store. That means apps like Netflix that don’t enable in-app purchases for subscriptions are not allowed to link to their website or even tell the user they need to go to netflix.com to sign up.
Complaints go beyond just Apple’s cut, though. Bluetooth tracking company Tile recently testified in a congressional antitrust hearing that Apple is undercutting potential competitors on its platform. Apple is rumored to be launching a competitor to Tile’s Bluetooth tracking tags, and Tile’s vice president and general counsel Kirsten Daru has accused Apple of using iOS to favor its own interests.
“Apple is acting as a gatekeeper to applications and technologies in a way that favors its own interests,” said Daru. “You might be the best soccer team, but you’re playing against a team that owns the stadium, the ball, and the league, and can change the rules when it wants.”
Sen. Elizabeth Warren, who is a contender for the Democratic nomination for president, is equally wary of Apple’s control of the App Store and believes the company should not get to both run the App Store and distribute apps in it. “It’s got to be one or the other,” she said in an interview with The Verge last year. “Either they run the platform or they play in the store. They don’t get to do both at the same time.”
Apple’s frustrating restrictions
Apple’s reluctance to allow iPhone owners to set their own default apps has created a frustrating situation that developers have tried to work around in a variety of ways. Apps like Outlook let you set Google Maps and Chrome as the defaults for mapping and web links, and others like YouTube simply open links in Chrome if you have the app installed. Instagram, TikTok, YouTube, Twitter, and others register their links on iOS as an Apple-sanctioned workaround to a lack of default app options. So if you click them from other apps, you’ll be transported to the native iOS app if it’s installed. But you can’t set those links to open in third-party Twitter clients or other alternatives.
Despite these workarounds, I’m still thrown into Safari far too often from links that friends and family send over iMessage or WhatsApp. And mailto links on the web push me into the built-in iOS email client, which I don’t even have configured. Siri is also the default and the only digital assistant I can call for with my voice from the lock screen. Alexa, Google Assistant, and Cortana are all restricted down to only working within their apps.
If Apple does relax its default app rules, it would improve the overall iOS experience for many — but it depends how far it’s willing to go. Apple’s app restrictions run far deeper than limiting default apps and are often related to important security needs. Chrome, Edge, Firefox, Brave, and others have to use Safari’s WebKit-based browser engine in their apps, as Apple doesn’t allow rival rendering engines on iOS. This allows Apple to control the security and updates of how web content is rendered on devices in every app. Third-party apps are also limited in how they can interact with messages in iMessage and phone calls.
These restrictions improve the underlying security of iOS in many ways by limiting potentially harmful code from running freely and preventing apps from sending SMS messages on your behalf. But they also lead to a lack of competition and choice for iPhone users. Microsoft’s Your Phone app allows you to fully mirror and control an Android device from a Windows PC and even send and receive messages and take calls. The same app on iOS is practically useless, as none of these features work.
Another way Apple could lower its walls is by overhauling its App Store policies. Google, Nvidia, and Microsoft are also facing challenges launching their cloud-based game streaming services on iOS. It took nearly a year for Apple to approve Valve’s Steam Link app, even though it primarily streams games from your home PC. Apple initially rejected it for “business conflicts,” and it was likely related to the app allowing an iOS user to access the Steam app store within Apple’s tightly controlled ecosystem. Microsoft is currently testing the limits of these App Store policies with its xCloud beta, while revealing it’s having to limit its app due to the policies.
Apple has relaxed some of its strict iOS rules in the past, which could hint at how the company’s operating system will evolve in the future. Apple created CallKit to allow VoIP apps like WhatsApp, Skype, Messenger, and others to closely integrate into the phone dialer of the OS. You can now make and receive calls through WhatsApp, and they look like regular iPhone calls and even show up in the built-in phone call history.
Apple also relaxed its rules on third-party keyboards with iOS 8, and even Apple’s Messages app can now use the built-in QuickType keyboard feature to pass SMS codes into other apps. This helps at a key moment when other apps need access to SMS codes, but if Apple is willing to relax its Messages restrictions even further, then it could allow competitors to create true alternatives to iMessage on the iPhone that would fully support RCS.
Unlevel playing field
Third-party app developers have been accusing Apple of stealing their app ideas for years and building them into iOS and macOS. Apple has built alternatives to Bitmoji, Moment, IFTTT, Google Photos features, Houseparty, AR measuring apps, and many more. The practice even has a nickname, “Sherlocking,” which references features added to Apple’s Sherlock desktop search tool back in 2002 that were already available in a popular third-party app, Watson.
Recently, Blix, the developer behind the BlueMail email management app, claims that Apple stole its anonymous email sign-in feature and then “suppressed” Blix’s iPhone app in search results and kicked its macOS app out of the App Store. Blix is now suing Apple and calling on others to speak out against what it claims are Apple’s unfair business tactics.
Sometimes, Apple’s native alternatives arrive just as it cracks down on third-party apps. Apple built screentime controls into iOS, which appeared just as it started cracking down on third-party apps that offered similar functionality. Apple later backed down from these changes, but the timing didn’t look great.
Apple also faces questions about restrictions on its platform that don’t always apply to its own apps. Apple recently started cracking down on location and Bluetooth features in iOS 13, offering reminders that third-party apps are using your location in the background. Although the feature is designed with privacy in mind, Apple doesn’t offer similar notifications for its own apps like Find My.
The pop-ups have turned into a nuisance for many as you have to repeatedly tap “always allow” every few days, despite explicitly telling iOS that you want an app to always have access to your location. Google is introducing similar restrictions on Android apps, but the same policies will apply to its own apps.
Apple also bends its own rules elsewhere in iOS by using push notifications to promote Apple Music, Apple TV Plus, or even Apple’s Carpool Karaoke show. Apple’s rules specifically state that push notifications “should not be used for advertising, promotions, or direct marketing purposes.”
The complaints are certainly mounting for Apple, and iOS 14 could be a chance for the company to alleviate some of the pressure from regulators while simultaneously improving the overall iPhone and iPad experience for consumers. If we’re able to pick up an iPhone in September and use our favorite email clients, browsers, and other apps a little more freely, then it will be a small but welcome lowering of Apple’s notorious walled garden.